Essential Data Duplicator has been upgraded to version 4. New features like the hi-res disk scan and examine disk drive are now included. Like the three versions before, a bit copy seems hopeless. This is due to the very precise synchronization routines used when the program was recorded. Only the tracks from $00 to $1D are used, and they are written using the 4 by 4 nibble encoding scheme. However, there is one thing you should never forget: there are NO unbreakable protection schemes. This is true for at least one reason: the program must somehow load into the machine. So if you can follow the boot of the program, you could (eventually) unprotect any program. Being able to "boot code trace" a program is a valuable skill. I say skill because the loading of each program will change, and the loader will try every trick in the book to hide what it is doing.

The theory behind boot code tracing rests on two things. First, there is a program in ROM on the disk controller card that will start the loading of all programs. This program will load in sector $00 of track $00. If the number located at $800 is one, then control will be passed to $801. If $800 has a number larger than one, the ROM code will load in more sectors. Electronic Arts is famous for loading in five to sixteen sectors to start the boot. Second, if you were to move this program down to RAM, you could change it to do anything you would like. The following will give a basic example of this technique.

To begin, move the boot ROM down so we can modify it to jump to the monitor.

    8600<C600.C6FFM
    86F8:4C 59 FF

Insert the original EDD 4 and start the boot.

    8600G

Listing through the code at $800, I looked for jumps to the next stage of the boot.



COMPUTIST 49 



At $8AD you will find a JMP $400; this is the start of what is known as BOOT1, or the first boot stage. This is a jump into the text page, so we will have to move it up to examine it.

To do this, three things must be done. One, we must change the code to maintain control and move the text page memory up. Two, you will also have to change the loading page of the zero sector, so the modified boot will not be overwritten. Third and last, you must redirect the boot zero code at $8600 from the monitor to the modified first stage code.

Jump to the move routine:

    8AD:4C 00 0F     JMP $0F00

Change the page that sector zero loads into:

    8659:80

Continue the boot instead of entering the monitor:

    86F8:4C 01 08    JMP $0801


The memory move:

    Four pages to move
    F00:A2 04        LDX #$04
    Start at zero
    F02:A0 00        LDY #$00
    Load a byte from the text page
    F04:B9 00 04     LDA $0400,Y
    Store it in a safe place
    F07:99 00 14     STA $1400,Y
    Increment the pointer
    F0A:C8           INY
    Move a full page
    F0B:D0 F7        BNE $0F04
    Increment the text page (the high byte of the LDA operand)
    F0D:EE 06 0F     INC $0F06
    Increment the store location (the high byte of the STA operand)
    F10:EE 09 0F     INC $0F09
    One page less to move
    F13:CA           DEX
    If not zero, then move more
    F14:D0 EE        BNE $0F04
    Jump to the monitor
    F16:4C 59 FF     JMP $FF59
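The move routine above is self-modifying (the two INCs rewrite the operands of the LDA and STA), which is easy to misread in a hex listing. As an added example that is not from the article, here is a minimal Python interpreter for just the 6502 opcodes the routine uses, run over the routine's own bytes with constructed text-page contents; the start-up code at $1C00 reuses the same loop shape, so the same check applies there. MONITOR, run_6502 and move_text_page are names chosen here.

```python
# Added example (not from the article): a minimal 6502 interpreter covering only the opcodes used by the move routine at $0F00.
MONITOR = 0xFF59  # monitor entry the routine jumps to when it is finished
MOVE_ROUTINE = bytes.fromhex(
    "A204"     # F00: LDX #$04      four pages to move
    "A000"     # F02: LDY #$00      start at zero
    "B90004"   # F04: LDA $0400,Y   load a byte from the text page
    "990014"   # F07: STA $1400,Y   store it in a safe place
    "C8"       # F0A: INY
    "D0F7"     # F0B: BNE $0F04     move a full page
    "EE060F"   # F0D: INC $0F06     bump the high byte of the LDA operand
    "EE090F"   # F10: INC $0F09     bump the high byte of the STA operand
    "CA"       # F13: DEX
    "D0EE"     # F14: BNE $0F04     more pages left
    "4C59FF"   # F16: JMP $FF59     back to the monitor
)

def run_6502(mem, pc, max_steps=100_000):
    """Execute from pc until the code jumps to MONITOR; returns the number of instructions run."""
    a = x = y = 0
    z = False  # zero flag, the only flag BNE needs in this routine
    abs_addr = lambda p: mem[p + 1] | (mem[p + 2] << 8)  # little-endian operand after opcode at p
    for step in range(max_steps):
        op = mem[pc]
        if op == 0x4C:                                                      # JMP abs
            target = abs_addr(pc)
            if target == MONITOR: return step
            pc = target
        elif op == 0xA2: x = mem[pc + 1]; z = x == 0; pc += 2              # LDX #imm
        elif op == 0xA0: y = mem[pc + 1]; z = y == 0; pc += 2              # LDY #imm
        elif op == 0xB9: a = mem[(abs_addr(pc) + y) & 0xFFFF]; z = a == 0; pc += 3   # LDA abs,Y
        elif op == 0x99: mem[(abs_addr(pc) + y) & 0xFFFF] = a; pc += 3               # STA abs,Y
        elif op == 0xC8: y = (y + 1) & 0xFF; z = y == 0; pc += 1           # INY
        elif op == 0xCA: x = (x - 1) & 0xFF; z = x == 0; pc += 1           # DEX
        elif op == 0xEE:                                                    # INC abs (rewrites the code itself here)
            addr = abs_addr(pc); mem[addr] = (mem[addr] + 1) & 0xFF; z = mem[addr] == 0; pc += 3
        elif op == 0xD0:                                                    # BNE rel (signed 8-bit offset)
            off = mem[pc + 1]; pc += 2
            if not z:
                pc += off - 0x100 if off & 0x80 else off
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("did not reach the monitor")

def move_text_page():
    """Place the routine at $0F00 with constructed text-page contents, run it, and return memory."""
    mem = bytearray(0x10000)
    mem[0x0400:0x0800] = bytes((i * 7 + 3) & 0xFF for i in range(0x400))  # constructed text page
    mem[0x0F00:0x0F00 + len(MOVE_ROUTINE)] = MOVE_ROUTINE
    run_6502(mem, 0x0F00)
    return mem
```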
Now list through the moved code and you will find a JMP to $C00 (at $1477, which should be $477). This is the real start of the program, and the point at which it must be stopped.

Well, you have a computer, so let it do the work for you. This means writing a "tape-worm", or a program to load in each stage, changing the jumps out to maintain control. When the program has loaded in, return control to the user. This is not as hard as it sounds for this boot process.

The ROM loads in code at $800, then jumps to $801 (the first jump). The new code at $801 loads more code into the text page, then jumps to it from $8AD (the second jump).

The last piece of code loads in the rest of the program, then jumps to the start from $477 (the third and last jump). There are now three jumps we need to manipulate. To start the worm, move the ROM boot code to $8600 and add the code that follows:

    8600<C600.C6FFM

Overwrite the JMP $801 at $86F8 so the worm first changes the JMP $400 at $8AD into a JMP $8705:

    86F8:A9 05       LDA #$05
    86FA:8D AE 08    STA $08AE
    86FD:A9 87       LDA #$87
    86FF:8D AF 08    STA $08AF

Now jump to the first stage loader:

    8702:4C 01 08    JMP $0801

Change the JMP $C00 at $477 into a jump to the monitor ($FF59):

    8705:A9 59       LDA #$59
    8707:8D 78 04    STA $0478
    870A:A9 FF       LDA #$FF
    870C:8D 79 04    STA $0479

Jump to the second stage loader:

    870F:4C 00 04    JMP $0400

An 8600G will start the worm, which loads all of EDD 4 into memory and leaves us in the monitor. EDD 4 uses the memory from $C00 through $5FFF (this includes the hi-res title page). Part of the memory range from $B000 through $BFFF is used by the program for disk access. These parts must be moved down and later replaced. Lastly, the whole thing can be saved out of memory. The $1C00 page was free, so I used it for the start-up code.

Step by step:

1. Enter the monitor to make the tape-worm.

    CALL -151

2. Move the boot ROM down and enter the code to finish the worm.

    8600<C600.C6FFM
    86F8:A9 05 8D AE 08 A9 87 8D
    8700:AF 08 4C 01 08 A9 59 8D
    8708:78 04 A9 FF 8D 79 04 4C
    8710:00 04

3. Insert the original and run the tape-worm to load EDD 4.

    8600G

4. Move the used portions of memory down.

    6000<B000.B3FFM
    6400<B700.BFFFM

5. Boot a slave disk with a short hello program.

    C600G

6. Enter the monitor again.

    CALL -151

7. Add the start-up code and memory moves:

    1C00:A2 04 A0 00 B9 00 60 99
    1C08:00 B0 C8 D0 F7 EE 06 1C
    1C10:EE 09 1C CA D0 EE A2 09
    1C18:A0 00 B9 00 64 99 00 B7
    1C20:C8 D0 F7 EE 1C 1C EE 1F
    1C28:1C CA D0 EE A9 00 8D F2
    1C30:03 A9 C6 8D F3 03 49 A5
    1C38:8D F4 03 AD 57 C0 AD 55
    1C40:C0 AD 52 C0 AD 50 C0 2C
    1C48:10 C0 AD 00 C0 10 FB 2C
    1C50:10 C0 60

8. Put in a call so the start-up code will run:

    BFD:20 00 1C

9. Save the whole program (at last!).

    BSAVE ESSENTIAL DATA DUPLICATOR 4,



For versions higher than 4:

When EDD 4 was updated to support the new Apple IIgs (version 4.4 or later), the loader and program were changed. Some of the absolute addresses given have changed, and you need to save four more pages of memory.

If you follow along with the article to verify the right locations, you can crack any new version that comes out. The changes are as follows:

1. The JMP $400 is now at $8AF instead of $8AD.

2. The JMP $C00 is now at $47E instead of $477.

3. There is a short routine from $8A00-$8DFF that is needed for the character table used by the hi-res disk scan. It moves itself down to $800-$BFF, and is called from the start of the program.

Here are the changes to the step-by-step method:



2. Move the boot ROM down and enter the code to finish the worm.

    8600<C600.C6FFM
    86F8:A9 05 8D B0 08 A9 87 8D
    8700:B1 08 4C 01 08 A9 59 8D
    8708:7F 04 A9 FF 8D 80 04 4C
    8710:00 04



4. Move the used portions of memory down (four more pages this time, to match the start-up code below).

    6000<B000.B3FFM
    6400<B700.BFFFM
    6D00<8A00.8DFFM
November COMPUTIST

7. Add the start-up code and memory moves:

    1C00:A2 04 A0 00 B9 00 60 99
    1C08:00 B0 C8 D0 F7 EE 06 1C
    1C10:EE 09 1C CA D0 EE A2 09
    1C18:A0 00 B9 00 64 99 00 B7
    1C20:C8 D0 F7 EE 1C 1C EE 1F
    1C28:1C CA D0 EE A2 04 A0 00
    1C30:B9 00 6D 99 00 8A C8 D0
    1C38:F7 EE 32 1C EE 35 1C CA
    1C40:D0 EE A9 00 8D F2 03 A9
    1C48:C6 8D F3 03 49 A5 8D F4
    1C50:03 AD 57 C0 AD 55 C0 AD
    1C58:52 C0 AD 50 C0 2C 10 C0
    1C60:AD 00 C0 10 FB 2C 10 C0
    1C68:60

9. Save the whole program.

    BSAVE ESSENTIAL DATA DUPLICATOR 4,



